A firewall typically comprises a combination of hardware and software used to implement a communication policy between machines operating in a network environment. A network firewall commonly serves as a primary line of defense against external threats to an organization's computer systems, networks and critical information. A firewall may serve as a network gateway that applies a security policy to filter traffic between a network under private administrative control, such as a corporate intranet, and a public network such as the Internet. A firewall also can be used to partition networks and to partition or to interconnect VPNs. A firewall may be used within a network to impose communications policies between sub-networks or machines within a network. A firewall may define different policies to govern communications between different networks, subnetworks or machines.
Information ordinarily is transmitted within networks in packets, and the term packet refers to a unit of data communicated within a network. A packet typically includes a packet source identifier and a packet destination identifier used to navigate the packet data through a network. The term packet may refer to a unit of data communicated at any level of the OSI protocol stack and between levels of the OSI stack.
A firewall inspects and filters packets at an interface between networks and passes or blocks packets based upon user-defined criteria. The filtering involves a decision making process that includes checking contents of packets entering or leaving an associated network and passing or denying passage of packets through the firewall depending upon whether the packets comply with predefined access rules.
A security administrator ordinarily configures firewall rules within a file. The firewall rules instruct a firewall engine as to which packets to pass and which to block. A typical firewall rule identifies a packet source, a packet destination, service group (e.g., port number and protocol) and an appropriate action such as to pass or drop a packet or report the packet. A firewall may have several network interfaces. The firewall intercepts and inspects packets that enter any of its network interfaces to identify matches between the packet contents and the security rules the firewall has been configured to enforce.
The following is an example firewall rule.
Source=ANY, Destination=192.148.120.12, Port=80, Protocol=TCP, Action=Accept, where 192.148.120.12 is an IP address that identifies a specific web server to which port 80 (HTTP) traffic is to be allowed; and ANY signifies all devices on the network (i.e., all addresses on the network).
The above firewall rule identifies a specific destination machine IP address as a condition for application of the rule, and indicates that any source machine address suffices to meet another condition for the application of the above rule. Thus, the above firewall rule is an example of a firewall rule that includes a pair of machine identifier dependent conditions.
One challenge with defining rules in terms of source and destination addresses is the need for an administrator to continually update firewall rules to keep abreast of changes in network configuration. Machines may be added to or removed from a network, and machines' IP addresses can change from time to time, requiring corresponding changes to firewall rules. An added administrative burden can arise when defining or updating firewall rules that span non-contiguous IP addresses, since a separate firewall rule may have to be configured for each such span. An administrator may choose to meet this additional burden by defining an over-inclusive contiguous range of IP addresses that encompasses one or more extraneous IP addresses rather than defining a separate firewall rule for each contiguous set of IP addresses. The former approach sacrifices security for convenience. The latter approach leads to management of a larger set of rules.
In complex networks in which changes are many and frequent, the need to update firewall rules to keep pace with changes to the network configuration can pose a significant administrative burden. For example, if a firewall rule specifies a set of web server destination addresses to which port 80 is to be allowed, and later a new web server to which port 80 is to be allowed is added to the network, then a firewall administrator may be required to update the set of destination addresses in that rule.
Referring again to the rule set forth above, for instance, assume that the addition of a new web server at 192.148.120.13 to the network to which the firewall rule applies requires the Destination field in the above rule to be modified to encompass the contiguous range, Destination=192.148.120.12-192.148.120.13. However, if the new IP address of the web server were 192.148.120.15, for example, and therefore the two IP addresses did not fall within a contiguous range or an IP subnet, then the administrator could choose to sacrifice security for convenience by specifying an over-inclusive range or subnet that includes the desired servers but that also leaves holes, such that if a non-web server (e.g. a database server) were brought up at an address corresponding to one of these holes, it would have port 80 traffic allowed to it. Alternatively, the administrator could specify multiple separate firewall rules, one each for 192.148.120.12 and 192.148.120.15.
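The following is an added illustration, not part of the original text: a minimal first-match rule evaluator in the Source/Destination/Port/Protocol/Action form described above, used to show the "holes" an over-inclusive destination range opens between the two web servers at 192.148.120.12 and 192.148.120.15 compared with one rule per host. The Packet and Rule classes, the evaluate and find_holes helpers, and the sample client address 10.0.0.5 are assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

@dataclass(frozen=True)
class Packet:              # constructed packet header fields (assumed for this example)
    src: str
    dst: str
    port: int
    proto: str

@dataclass(frozen=True)
class Rule:                # Source/Destination may be ANY, one IP, "lo-hi" range or CIDR subnet
    source: str
    destination: str
    port: int
    protocol: str
    action: str            # "Accept" or "Drop"

def addr_matches(spec: str, addr: str) -> bool:
    """Does address `addr` satisfy the machine identifier condition `spec`?"""
    if spec == "ANY":
        return True
    ip = ip_address(addr)
    if "-" in spec:                                   # contiguous range, inclusive
        lo, hi = (ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= ip <= hi
    if "/" in spec:                                   # IP subnet
        return ip in ip_network(spec, strict=False)
    return ip == ip_address(spec)                     # single machine

def evaluate(rules, pkt: Packet, default: str = "Drop") -> str:
    """First matching rule decides; packets matching no rule get the default action."""
    for r in rules:
        if (addr_matches(r.source, pkt.src) and addr_matches(r.destination, pkt.dst)
                and r.port == pkt.port and r.protocol == pkt.proto):
            return r.action
    return default

# The two ways of admitting port 80 to the web servers at .12 and .15 from the text.
OVER_INCLUSIVE = [Rule("ANY", "192.148.120.12-192.148.120.15", 80, "TCP", "Accept")]
PER_HOST = [Rule("ANY", "192.148.120.12", 80, "TCP", "Accept"),
            Rule("ANY", "192.148.120.15", 80, "TCP", "Accept")]

def find_holes(rules, intended, first, last, port=80, proto="TCP"):
    """Addresses in [first, last] the rules accept that are not intended web servers."""
    wanted = {ip_address(a) for a in intended}
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [str(IPv4Address(n)) for n in range(lo, hi + 1)
            if IPv4Address(n) not in wanted
            and evaluate(rules, Packet("10.0.0.5", str(IPv4Address(n)), port, proto)) == "Accept"]
```

Running find_holes over the .12-.15 span reports .13 and .14 as admitted by the over-inclusive rule and nothing for the per-host rules, which is exactly the trade-off between convenience and rule-set size described above.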